Is Google Analytics Illegal?
On June 23, the Italian Data Protection Authority declared the implementation of Google Analytics on a website to be unlawful.
This was because the personal data of European users was transferred to Google servers located in the United States, without guaranteeing adequate levels of privacy protection according to GDPR regulations.
What is Google Analytics?
Google Analytics is a free web analytics service provided by Google that allows website owners to analyze detailed statistics about website visitors. The service is used for internet marketing and by webmasters.
The illegitimacy of Google Analytics 3 stems from the fact that the tool transfers user data to the United States. The issue arises because, in terms of privacy, the United States is governed by a different legal framework from Europe, which does not guarantee the same level of protection provided within the European Union through the GDPR.
Why Google Analytics Does Not Comply with GDPR
Websites collect information through cookies sent to users’ browsers regarding how users interact with the website, its individual pages, and the services offered.
The collected data includes:
- unique online identifiers that allow the identification of the browser or device used to visit the website
- address, website name, and browsing data
- browser-related information, such as operating system, screen resolution, selected language, date and time of the website visit
- IP address of the device used
An aggravating factor is that a user browsing a website may be logged into their Google account, meaning the data listed above could be associated with other information in that account. For example, the email address, which serves as the account user ID, phone number, and additional personal data such as gender, date of birth, or profile picture.
The Italian Data Protection Authority therefore stated that the use of Google Analytics 3 does not comply with GDPR because it involves transferring user data to the United States, a country without an adequate level of protection.
A few days ago, the Italian Data Protection Authority issued a warning to Caffeina Media srl, which was using Google Analytics 3 on its website, asking the company to remove it within 90 days. In practice, the data processing methods of Google Analytics 3 do not comply with GDPR requirements because the tool transfers user data to the United States without adequate safeguards. Among the transferred data is also the IP address of visitors, which is considered personal data in all respects.
The Authority warned this company, but the recommendation to stop using Google Analytics 3 informally applies to all websites using Google’s tool, because the issue is widespread.
So What Should You Do?
The situation is still evolving. The measure only partially clarifies it, while also increasing uncertainty, because it is not clear what may happen now to those who continue using Analytics.
To simplify matters, Google has already taken action and launched the new service Google Analytics 4 (GA4), which, according to the information available, should solve the problem at its source.
If you have not already completed this transition, we can create a Google Analytics 4 property for you and allow you to continue monitoring events on your website, while ensuring a higher privacy standard. Contact us!
